MITRE ATT&CK Technique
Description
In macOS and OS X, when applications or programs are downloaded from the internet, a special extended attribute called <code>com.apple.quarantine</code> is set on the file. This attribute is read by Apple's Gatekeeper defense program at execution time and prompts the user to allow or deny execution.

Apps loaded onto the system from a USB flash drive, optical disk, external hard drive, or even from a drive shared over the local network will not have this flag set. Additionally, other utilities or events such as drive-by downloads do not necessarily set it either. A file without the flag completely bypasses the built-in Gatekeeper check. (Citation: Methods of Mac Malware Persistence) The presence of the quarantine flag can be checked with the xattr command, <code>xattr /path/to/MyApp.app</code>, by looking for <code>com.apple.quarantine</code> in its output. Similarly, given sudo access or elevated permission, the attribute can be removed with xattr as well: <code>sudo xattr -r -d com.apple.quarantine /path/to/MyApp.app</code>. (Citation: Clearing quarantine attribute) (Citation: OceanLotus for OS X)

In typical operation, a file downloaded from the internet is given the quarantine flag before being saved to disk. When the user tries to open the file or application, Gatekeeper steps in and checks for the presence of this flag. If it exists, macOS prompts the user to confirm that they want to run the program and even shows the URL the application came from. However, all of this depends on the file having been downloaded by a quarantine-aware application. (Citation: Bypassing Gatekeeper)
Supported Platforms
macOS
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-12-14T16:46:06.044Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'In macOS and OS X, when applications or programs are '
'downloaded from the internet, there is a special attribute '
'set on the file called <code>com.apple.quarantine</code>. '
"This attribute is read by Apple's Gatekeeper defense program "
'at execution time and provides a prompt to the user to allow '
'or deny execution. \n'
'\n'
'Apps loaded onto the system from USB flash drive, optical '
'disk, external hard drive, or even from a drive shared over '
'the local network won’t set this flag. Additionally, other '
'utilities or events like drive-by downloads don’t necessarily '
'set it either. This completely bypasses the built-in '
'Gatekeeper check. (Citation: Methods of Mac Malware '
'Persistence) The presence of the quarantine flag can be '
'checked by the xattr command <code>xattr '
'/path/to/MyApp.app</code> for '
'<code>com.apple.quarantine</code>. Similarly, given sudo '
'access or elevated permission, this attribute can be removed '
'with xattr as well, <code>sudo xattr -r -d '
'com.apple.quarantine /path/to/MyApp.app</code>. (Citation: '
'Clearing quarantine attribute) (Citation: OceanLotus for OS '
'X)\n'
' \n'
'In typical operation, a file will be downloaded from the '
'internet and given a quarantine flag before being saved to '
'disk. When the user tries to open the file or application, '
'macOS’s gatekeeper will step in and check for the presence of '
'this flag. If it exists, then macOS will then prompt the user '
'to confirmation that they want to run the program and will '
'even provide the URL where the application came from. '
'However, this is all based on the file being downloaded from '
'a quarantine-savvy application. (Citation: Bypassing '
'Gatekeeper)',
'external_references': [{'external_id': 'T1144',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1144'},
{'description': 'Patrick Wardle. (2014, September). '
'Methods of Malware Persistence on '
'Mac OS X. Retrieved July 5, 2017.',
'source_name': 'Methods of Mac Malware Persistence',
'url': 'https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf'},
{'description': 'Rich Trouton. (2012, November 20). '
'Clearing the quarantine extended '
'attribute from downloaded '
'applications. Retrieved July 5, '
'2017.',
'source_name': 'Clearing quarantine attribute',
'url': 'https://derflounder.wordpress.com/2012/11/20/clearing-the-quarantine-extended-attribute-from-downloaded-applications/'},
{'description': 'Eddie Lee. (2016, February 17). '
'OceanLotus for OS X - an Application '
'Bundle Pretending to be an Adobe '
'Flash Update. Retrieved July 5, '
'2017.',
'source_name': 'OceanLotus for OS X',
'url': 'https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update'},
{'description': 'Thomas Reed. (2016, March 31). '
"Bypassing Apple's Gatekeeper. "
'Retrieved July 5, 2017.',
'source_name': 'Bypassing Gatekeeper',
'url': 'https://blog.malwarebytes.com/cybercrime/2015/10/bypassing-apples-gatekeeper/'}],
'id': 'attack-pattern--6fb6408c-0db3-41d9-a3a1-a32e5f16454e',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'}],
'modified': '2025-10-24T17:48:56.162Z',
'name': 'Gatekeeper Bypass',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': True,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['macOS'],
'x_mitre_version': '1.2'}